[rohc] RE: draft-ertekin-rqts-hcoipsec-01.txt
"Jasani Rohan" <jasani_rohan@bah.com> Fri, 22 July 2005 14:21 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DvyOv-00072K-HE; Fri, 22 Jul 2005 10:21:21 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DvxLf-0002Gm-4i for rohc@megatron.ietf.org; Fri, 22 Jul 2005 09:13:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA13702 for <rohc@ietf.org>; Fri, 22 Jul 2005 09:13:53 -0400 (EDT)
Received: from mclean-vscan2.bah.com ([156.80.3.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Dvxpu-00050X-Du for rohc@ietf.org; Fri, 22 Jul 2005 09:45:10 -0400
Received: from mclean-vscan2.bah.com (mclean-vscan2.bah.com [156.80.3.62]) by mclean-vscan2.bah.com (8.11.0/8.11.0) with SMTP id j6MDDgS26059; Fri, 22 Jul 2005 09:13:42 -0400 (EDT)
Received: from mclnexbh01.resource.ds.bah.com ([156.80.7.151]) by mclean-vscan2.bah.com (SAVSMTP 3.1.7.47) with SMTP id M2005072209134209087 ; Fri, 22 Jul 2005 09:13:42 -0400
Received: from MCLNEXVS05.resource.ds.bah.com ([156.80.7.122]) by mclnexbh01.resource.ds.bah.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 22 Jul 2005 09:13:43 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 22 Jul 2005 09:13:44 -0400
Message-ID: <EF8F958E212B0F4FA1E797EDAB34A3E7D4DD28@MCLNEXVS05.resource.ds.bah.com>
Thread-Topic: draft-ertekin-rqts-hcoipsec-01.txt
Thread-Index: AcV4xknHZ+NGpKYrSJifTWoLoO9BsQV92YYw
From: Jasani Rohan <jasani_rohan@bah.com>
To: Stephen Kent <kent@bbn.com>, lars-erik.jonsson@ericsson.com
X-OriginalArrivalTime: 22 Jul 2005 13:13:43.0048 (UTC) FILETIME=[2F207080:01C58EBF]
X-Spam-Score: 0.8 (/)
X-Scan-Signature: 789c141a303c09204b537a4078e2a63f
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Fri, 22 Jul 2005 10:21:20 -0400
Cc: SKoKeef@missi.ncsc.mil, rohc@ietf.org, jon.peterson@neustar.biz, mankin@psg.com, Russ Housley <housley@vigilsec.com>, Christou Chris <christou_chris@bah.com>, Esposito Renee <esposito_renee@bah.com>, cabo@tzi.org, hartmans-ietf@mit.edu, jakohle@missi.ncsc.mil, respy@opnet.com
Subject: [rohc] RE: draft-ertekin-rqts-hcoipsec-01.txt
X-BeenThere: rohc@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Robust Header Compression <rohc.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rohc>, <mailto:rohc-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rohc@ietf.org>
List-Help: <mailto:rohc-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rohc>, <mailto:rohc-request@ietf.org?subject=subscribe>
Sender: rohc-bounces@ietf.org
Errors-To: rohc-bounces@ietf.org
Stephen: I have detailed below, how we envision inbound and outbound processing to work. These explanations should answer the questions posed in previous emails. Please provide us with feedback and comments in regards to the explanations below. Thanks SA ESTABLISHMENT: Currently, we are writing a draft detailing how IKE will need to be extended to support HC scheme and HC parameter negotiation. In addition, the draft will detail the appropriate HC "data items" that are associated to an SA. Specifically, the "HC Scheme" data item will indicate whether HC will be applied SA and if applied, which HC scheme will be used (i.e. NO COMPRESSION, ROHC, ECRTP, IPHC). "HC Scheme" is used during processing to determine whether a packet should be handed to the HC process or not and if HC is applied, to which HC process (i.e. ROHC, ECRTP, etc...) to hand the packet to. GENERAL OPERATION All traffic associated to an SA will either be compressed or not compressed. Based on which types of traffic would like to be compressed (established through policies)* and the types of traffic (i.e. IP/TCP, IP/UDP, IP/UDP/RTP) that can be compressed by the HC schemes on the IPsec devices, values for standard selectors ("Next Layer Protocol" & "Port") will be chosen to filter out the traffic that needs compression (additional selector values will be used in conjunction to define the traffic that is afforded security by the SA). *not all traffic benefits from HC and most HC schemes only support compression of certain types of traffic (i.e. IP/UDP/RTP, etc...) OUTBOUND PROCESSING: Traffic will be mapped to an SA based on selector values (including "Next Layer Protocol" & "Port"). The traffic is encrypted/authenticated according to the SA. Then... - If the "HC Scheme" data item (included with the SAD entry) indicates a compression scheme, then the traffic is handed to the HC process which will compress the traffic and then hand it back to IPsec for further processing. - If the "HC Scheme" data item indicates NO Compression, then the traffic continues through the normal IPsec processing. INBOUND PROCESSING: a) After an inbound packet passes through AH/ESP processing (Step 4 on Page 60 of I-D 2401bis) the packet can take one of either two routes: -If the SA indicates HC was applied, then the packet is handed to the HC process for decompression. Once the packet is decompressed it is passed to Step "b". -If the SA indicates HC was NOT applied, then proceed to Step "b". Note: Based on information retrieved from the SAD entry in Step 3a (Page 59 of I-D 2401bis) it can be determined whether traffic traversing the SA is compressed or not compressed, as this indication is associated to an SA b) Continue regular processing described in Step 4 on Page 60 of I-D 2401bis. Specifically "Then match the packet against the inbound selectors identified by the SAD..." COMMENTS: - Each SAD entry will need to have additional information related to HC, where would we need to specify that information (i.e. HCoIPsec draft, IPsec standard, etc...) ? - As of right now, we are not planning on using the ROHC uncompressed profile to carry uncompressed traffic on a ROHC-enabled SA, as this profile adds 1 or 2 bytes of overhead to each uncompressed packet. This decision will prevent the need to multiplex compressed and uncompressed traffic over a single SA and it allows all traffic traversing an SA to be processed in the same manner. - Only ECRTP requires an additional packet type field, which will be added as an extension to the ECRTP header (same approach used in ECRTP over MPLS I-D draft-ietf-avt-hc-mpls-reqs-03.txt). ROHC has self-describing headers, thus it does not require an additional header. Therefore, additional protocol numbers should not be required. Rohan Jasani Booz | Allen | Hamilton 703.377.4641 (office) 832.452.3241 (mobile) > -----Original Message----- > From: Stephen Kent [mailto:kent@bbn.com] > Sent: Friday, June 24, 2005 9:58 AM > To: lars-erik.jonsson@ericsson.com > Cc: Russ Housley; Jasani Rohan; Christou Chris; Ertekin Emre; > hartmans-ietf@mit.edu; cabo@tzi.org; mankin@psg.com; > jon.peterson@neustar.biz; rohc@ietf.org; Stephen Kent > Subject: RE: draft-ertekin-rqts-hcoipsec-01.txt > > Lars-Erik, > > >... > > > >I do not mean that you turn off ROHC, but what if you get > more flows to > >handle than you have negotiated support for, then there is a ROHC > >profile that can send the packets "ROHC-encapsulated" > >but with uncompressed headers. This profile can also be used > for e.g. > >packet flows using "new" transport protocols not yet > supported by ROHC. > > I'm not sure I understand your comment above. When we create > an SA we define the range of traffic flows that it will > accommodate, based on the 5 traffic selector types that IPsec > uses to distinguish traffic (S/D IP address, protocol, and > S/D ports, if applicable). Only traffic consistent with the > traffic selector values specified for an SA can be carried on > that SA, period. > > >In the draft, I saw multiplexing of compressed and > uncompressed header > >packets, and therefore I wanted to point out that this > multiplexing can > >be done with ROHC mechanisms, thereby avoiding the > unnecessary overhead > >from an additional multiplexing mechanism. > > The draft you cited is an individual submission. It was not > coordinated with the IPsec WG. It addresses the IPsec > requirement for inbound traffic demuxing by adding another > layer of header, but this has the potential to consume too > many protocol numbers, and thus may not be acceptable. There > is also the issue that mixing compressed and uncompressed > traffic on the same SA, and distinguishing them via the > presence of an added protocol layer may cause problems for > inbound processing, because support for nested processing is > an optional feature for IPsec implementations. > > >... > >I do not understand this comment. If you set up a tunnel > where you want > >to apply HC, you intend to compress all packets, right? Then > you will > >only have ROHC-packets in the tunnel, no packet type > identifier is then > >needed. > > See section 5.2 of 2501bis (now in the RFC editor's queue) > for an explanation of how inbound traffic is processed in > IPsec. It may be OK to handle HC-compressed traffic as you > suggest, but it is not immediately clear that this will work, > because of the underlying assumptions that IPsec makes in > support of access control. > > Steve > _______________________________________________ Rohc mailing list Rohc@ietf.org https://www1.ietf.org/mailman/listinfo/rohc
- [rohc] RE: draft-ertekin-rqts-hcoipsec-01.txt Lars-Erik Jonsson (LU/EAB)
- [rohc] RE: draft-ertekin-rqts-hcoipsec-01.txt Stephen Kent
- [rohc] RE: draft-ertekin-rqts-hcoipsec-01.txt Lars-Erik Jonsson (LU/EAB)
- [rohc] RE: draft-ertekin-rqts-hcoipsec-01.txt Jasani Rohan